GCP Knowledge Base
Security checks and vulnerability fixes for GCP.
Google Cloud VPC
Open RPC
Metadata Included In Firewall Logging
Open Oracle
Open NetBIOS
All Ports Open
Open SSH
Open Kibana
Open SMTP
Open Hadoop HDFS NameNode WebUI
Open FTP
Open VNC Client
Open RDP
Open Salt
Open SMBoTCP
Open Hadoop HDFS NameNode Metadata Service
Firewall Rule Logs Disabled
Open Telnet
Open MySQL
Open Cassandra
Open Docker
Private Access Disabled
Open PostgreSQL
Open Oracle Auto Data Warehouse
Open SQL Server
Open Redis
Open MSSQL
Sub Networks Flow Logs Disabled
Open MongoDB
Open DNS
Open VNC Server
Open CIFS
Google Cloud IAM
Service Account Keys Not Generated By Google
Service Over Per Account Failure Limit
Personal Accounts are in Use
IAM Users With Both Service Account User And Service Account Admin Role
Managed Service Accounts With Admin Access
User With IAM Service Account User Role
Service Account Key Rotation Due
Users with Admin and CryptoKey Roles
Google Cloud Load Balancing
Load Balancing Backend Service Logging Disabled
Load Balancing CDN Disabled
Security Policy Disabled
Load Balancers Using Insecure Ciphers
Load Balancing HTTPS Disabled
Google Cloud Logging
Audit Logging Not Configured Properly
VPC Network Log Alert Missing
Log Encryption Disabled
Project Ownership Log Alert Missing
Audit Configuration Log Alert Missing
VPC Network Route Log Alert Missing
Dangling Log Sink Bucket
Log Sinks Disabled
VPC Firewall Rule Log Alert Missing
Audit Logging Exempted Members
Custom Role Log Alert Missing
SQL Configuration Log Alert Missing
Storage Permissions Log Alert Missing
Google Cloud Kubernetes Engine
Cluster Not Using Least Privilege
Master Authorized Network Disabled
Logging Disabled
Basic Authentication Enabled
Web Dashboard Enabled
Legacy Authorization Enabled
Secure Boot Disabled
Cluster Encryption Not Desired Level
Node Encryption Not On Desired Protection Level
Automatic Node Repair Disabled
Alias IP Ranges Disabled
Shielded Nodes Disabled
Monitoring Disabled
Default Service Account Used
Private Endpoint Disabled
COS Image Disabled
Integrity Monitoring Disabled
Network Policy Disabled
Kubernetes Alpha Enabled
Automatic Node Upgrades Disabled
Private Cluster Disabled
Google Cloud Pub/Sub
Pub/Sub Subscriptions Dead Lettering Disabled
GCP Pub/Sub Topics Low Encryption
Google Compute Engine
Old Persistent Disk Snapshots Used
VM Max Instances Limit Reached
Instance Default Service Account Used
IP Forwarding Enabled
Instance Not Using Desired Machine Image
VM Disk Image Publicly Accessible
VM Instance On Host Maintenance Not Configured
Instance Template Machine Type Not Desired
Instance Automatic Restart Disabled
Shielded VM Disabled
Instance Disk Encryption Not As Desired
Instances Not Multi Zonal
Autoscale Disabled
Instance Is Not Desired Machine Type
Preemptible VM Instance Used
Project Wide SSH Enabled
VM Instance Disks Auto Delete Enabled
VM Instances Default Privilege
Managed VM Instance Group Automatic Healing Disabled
VM Instance Deletion Protection Missing
OS Login 2FA Disabled
OS Login Disabled
Connect Serial Ports Enabled
Instance Public Access Enabled
Google Cloud Key Management Service (KMS)
Key Publicly Accessible
Key Rotation Disabled
Key Management Low Encryption
Google Cloud DNS
DNS Security RSA SHA1 Enabled
DNS Security Disabled
Google Cloud Storage
Bucket Logging Disabled
Bucket Customer-Managed Encryption Disabled
Lifecycle Management Rules Missing
Storage Bucket Retention Policy Not Locked
Bucket Uniform Level Access Disabled
Cloud Storage Bucket Versioning Disabled
Storage Bucket Retention Policy Expired
Storage Bucket Retention Policy About to Expire
Storage Bucket Retention Policy Not Set
Storage Bucket Publicly Accessible
Google Cloud Dataproc
Customer Managed Encryption Disabled
Google Cloud SQL
SQL Server Certificates About To Expire
Any Host Access For Root User Enabled
SQL Cross DB Ownership Chaining Enabled
MySQL Local Infile Enabled
PostgreSQL Checkpoint Logs Disabled
PostgreSQL Min Duration Logs Enabled
PostgreSQL Disconnection Logs Disabled
Root Password Not Set For MySQL Instances
MySQL Version Not As Desired
PostgreSQL Version Not As Desired
SQL Automated Backups Disabled
Public IP is attached to SQL instances
PostgreSQL Max Connections Not As Desired
SQL Contained Database Authentication Enabled
PostgreSQL Undesired Error Logging Level
SSL Disabled For SQL Databases
MySQL Slow Query Logs Disabled
SQL Database Publicly Accessible
SQL Server Certificates Expired
DB Non-Restorable
SQL Automatic Storage Increase Disabled
PostgreSQL Temp File Logs Disabled
SQL Automatic Failover To Another Zone Missing
SQL Instance Customer-Managed Encryption Disabled
PostgreSQL Connection Logs Disabled
PostgreSQL Lock Wait Logs Disabled
Google Cloud Spanner
Spanner Instance Node Count Above Allowed Count
Google Cloud Deployment Manager
Deployment Instances Expired
Google Cloud BigQuery
Public Dataset Policy
Customer Managed Encryption Disabled
Google Cloud Dataflow
Dataflow Jobs Encryption Not At Desired Level